Packagist (Composer) package
in2code/powermail
pkg:composer/in2code/powermail
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-7899 | Med | — | | >= 12.0.0, < 12.5.3 | 12.5.3 | Jul 22, 2025 | The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0 |
| CVE-2024-47047 | | — | | < 7.5.1 | 7.5.1 | Sep 17, 2024 | An issue was discovered in the powermail extension through 12.4.0 for TYPO3. It fails to validate the mail parameter of the createAction, resulting in Insecure Direct Object Reference (IDOR) in some configurations. An unauthenticated attacker can use this to display user-submitte |
| CVE-2024-45233 | | — | | < 7.5.0 | 7.5.0 | Aug 28, 2024 | An issue was discovered in powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the Powermail |
| CVE-2024-45232 | | — | | >= 11.0.0, < 12.4.0 | 12.4.0 | Aug 28, 2024 | An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all for |
| CVE-2014-6288 | | — | | >= 2.0.0, < 2.0.11 | 2.0.11 | Oct 3, 2014 | The powermail extension 2.x before 2.0.11 for TYPO3 allows remote attackers to bypass the CAPTCHA protection mechanism via unspecified vectors. |
| CVE-2014-3947 | | — | | < 1.6.11 | 1.6.11 | Oct 3, 2014 | Unrestricted file upload vulnerability in the powermail extension before 1.6.11 and 2.x before 2.0.14 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with a crafted extension, then accessing it via unspecified vectors. |
| CVE-2012-5889 | | — | | < 1.6.5 | 1.6.5 | Nov 17, 2012 | Cross-site scripting (XSS) vulnerability in the powermail extension before 1.6.5 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2010-3604 | | — | | < 1.5.4 | 1.5.4 | Sep 24, 2010 | SQL injection vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2010-0329 | | — | | < 1.5.2 | 1.5.2 | Jan 15, 2010 | SQL injection vulnerability in the powermail extension 1.5.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to the "SQL selection field" and "typoscript." |